netfilter: nf_nat: fix out-of-bounds access in address selection

[firefly-linux-kernel-4.4.55.git] / net / netfilter / nf_nat_core.c

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index c577b753fb9a2ad88fb46923ff20a9034d17b8ad..1816ad381485621ed5d68ff938662636478128fa 100644 (file)
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -255,7 +255,7 @@ find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple,
         * client coming from the same IP (some Internet Banking sites
         * like this), even across reboots.
         */
-       j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3),
+       j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),
                   range->flags & NF_NAT_RANGE_PERSISTENT ?
                        0 : (__force u32)tuple->dst.u3.all[max] ^ zone);
 
@@ -696,6 +696,8 @@ static int nfnetlink_parse_nat_proto(struct nlattr *attr,
 static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
        [CTA_NAT_V4_MINIP]      = { .type = NLA_U32 },
        [CTA_NAT_V4_MAXIP]      = { .type = NLA_U32 },
+       [CTA_NAT_V6_MINIP]      = { .len = sizeof(struct in6_addr) },
+       [CTA_NAT_V6_MAXIP]      = { .len = sizeof(struct in6_addr) },
        [CTA_NAT_PROTO]         = { .type = NLA_NESTED },
 };